Amazon Virtual Private Cloud
Getting Started Guide (API Version 2011-07-15)

Set Up the Security Group

VPC getting started: Create security group

You're now ready to create a security group for your VPC.

A security group is just a group of instances that shares a common set of rules that determine what traffic is allowed in and out of the instances. To use security groups, you create a group, add the inbound and outbound rules you want the group to use, and then launch instances into the group. You can add and remove rules from the group, and those changes automatically apply to the instances in the group.

The instances in a security group don't have to be in the same subnet in your VPC. Conversely, instances in the same subnet don't have to belong to the same security group. The following diagram illustrates how a subnet can have instances in more than one security group: two of the instances in the subnet are in group A, whereas the other two instances in that same subnet are in group B.

Security groups are separate from subnets
[Important]Important

Security groups are an existing concept used in Amazon EC2. However, the security groups you use in your VPC are different from the ones you use in EC2. If you're already an EC2 user, you can't use your existing security groups in your VPC. You must create new ones specifically for use in your VPC. However, the group names you use in your VPC can duplicate the group names you use in EC2 because each group has a unique AWS-assigned ID.

There are other differences between the two types of groups. However, for this exercise you just need to know that VPC security groups have both inbound and outbound rules, whereas EC2 security groups have only inbound rules. For more information about VPC security groups and how they differ from EC2 security groups, go to Security Groups in the Amazon Virtual Private Cloud User Guide.

Creating Your WebserverSG Group

For this exercise, you create a security group called WebServerSG, and launch an instance into the group.

You also add rules to the WebServerSG group that enable:

  • Inbound HTTP and HTTPS traffic from anywhere

  • Inbound SSH and Remote Desktop (RDP) traffic from your home network

  • Outbound HTTP and HTTPS traffic to anywhere

[Note]Note

This exercise adds SSH access for Linux/UNIX instances and RDP access for Windows instances. If your company runs only Linux or only Windows, you need a rule for only one type of access.

The following figure shows the WebServerSG security group as a circle. The arrows pointing in and out of the security group circle represent the inbound and outbound rules you set for the group. Following the figure is a table that lists the inbound and outbound rules for the group and what they do.

Scenario 1: WebServerSG security group
Inbound

Source IP | Protocol | Port Range | Comments
0.0.0.0/0 | TCP | 80 | Allow inbound HTTP access from anywhere
0.0.0.0/0 | TCP | 443 | Allow inbound HTTPS access from anywhere
Public IP address range of your home network | TCP | 22 | Allow inbound SSH access from your home network
Public IP address range of your home network | TCP | 3389 | Allow inbound RDP access from your home network

Outbound

Dest IP | Protocol | Port Range | Comments
0.0.0.0/0 | TCP | 80 | Allow outbound HTTP access to servers on the Internet (e.g., for software updates)
0.0.0.0/0 | TCP | 443 | Allow outbound HTTPS access to servers on the Internet (e.g., for software updates)

Inbound rules regulate the traffic that is allowed to come into the instances in the group (i.e., the source of the traffic and the listening port on the instance). All return traffic is automatically allowed. For example, if a client on the Internet sends a request to a web server in your VPC inside the WebServerSG, the instance can respond, regardless of any outbound rules on the group. In this way, security groups are stateful.

Outbound rules control which destinations the instances in the group can send traffic to (i.e., the destination of the traffic and the destination port). All return traffic (i.e., a response from the host that received the traffic) is automatically allowed back into the instances, regardless of the inbound rules set on the security group.
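As an added illustration (not part of the original guide), the following Python models the WebServerSG rule table and the stateful behaviour described above, plus a small audit check for the source range of the SSH and RDP rules. The home network range 192.0.2.0/24 and the peer addresses used when exercising the model are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound"
    cidr: str       # source CIDR (inbound) or destination CIDR (outbound)
    protocol: str
    port: int

HOME_NET = "192.0.2.0/24"  # constructed stand-in for your home network's public range

# The WebServerSG rules exactly as listed in the table above.
WEBSERVER_SG = [
    Rule("inbound", "0.0.0.0/0", "tcp", 80),
    Rule("inbound", "0.0.0.0/0", "tcp", 443),
    Rule("inbound", HOME_NET, "tcp", 22),
    Rule("inbound", HOME_NET, "tcp", 3389),
    Rule("outbound", "0.0.0.0/0", "tcp", 80),
    Rule("outbound", "0.0.0.0/0", "tcp", 443),
]

class SecurityGroup:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # tracked connections: (direction, peer_ip, port, protocol)

    def allows(self, direction, peer_ip, port, protocol="tcp"):
        """Evaluate a NEW connection against the rules for its direction. peer_ip is
        the remote source (inbound) or destination (outbound); port is the listening
        port on the instance (inbound) or the destination port (outbound)."""
        ip = ipaddress.ip_address(peer_ip)
        for r in self.rules:
            if (r.direction == direction and r.protocol == protocol
                    and r.port == port and ip in ipaddress.ip_network(r.cidr)):
                self.flows.add((direction, peer_ip, port, protocol))  # remember the flow
                return True
        return False

    def allows_reply(self, direction, peer_ip, port, protocol="tcp"):
        """Return traffic for a flow admitted by allows() passes without consulting
        the rules of the opposite direction; that is what makes the group stateful."""
        return (direction, peer_ip, port, protocol) in self.flows

def admin_ports_open_to_world(rules):
    """Audit check: inbound SSH (22) or RDP (3389) rules whose source is 0.0.0.0/0."""
    return [r for r in rules if r.direction == "inbound" and r.port in (22, 3389)
            and ipaddress.ip_network(r.cidr).prefixlen == 0]
```

With these rules a web client anywhere can reach port 80 and receive its response even though no outbound rule covers the client's ephemeral port, while the instance itself cannot initiate an SSH connection out, and SSH in is accepted only from the home range.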

[Note]Note

Your VPC comes with a default security group. Any instance not in another group automatically belongs to this group. Although we could use the default security group for this exercise, we've chosen to create the WebServerSG group instead.

To create the WebServerSG security group

  1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the Navigation pane, click Security Groups.

    [Note]Note

    This page shows all security groups that belong to your AWS account, including those you use in your VPC, and any EC2 groups you have. The VPC security groups have a value listed in the VPC ID column. You can filter the list to show only one type of security group if you want.

  3. Click Create Security Group.

    The Create Security Group dialog box opens.

  4. Enter the name for your security group (WebServerSG), enter a description of the group, select your VPC's ID from the VPC menu, and click Yes, Create.

    The security group is created in your VPC and appears on the Security Groups page. Notice that it has an ID (e.g., sg-xxxxxxxx). You might have to turn on the Group ID column by clicking Show/Hide in the top right corner of the page.

You now have your WebServerSG security group. By default, every new security group starts with only an outbound rule that allows all traffic to leave the instances. You must add rules to enable any inbound traffic or to restrict the outbound traffic.

To add rules to the security group

  1. In the list of security groups, select the check box for the group you just created.

    The lower pane displays the security group's details. There are also two tabs: one for working with the group's inbound rules and one for the outbound rules.

  2. Add rules for inbound HTTP and HTTPS access to the group from anywhere:

    1. On the Inbound tab, select HTTP from the Create a new rule drop-down list.

    2. Make sure the Source field's value is 0.0.0.0/0 and click Add Rule.

      The rule to allow HTTP access from anywhere (i.e., 0.0.0.0/0) is added to the Inbound tab, and an asterisk appears on the tab to indicate that you still need to click Apply Rule Changes. You'll apply rule changes after you've added all the inbound rules.

    3. Select HTTPS from the Create a new rule drop-down list and click Add Rule.

      The rule to allow HTTPS access from anywhere (i.e., 0.0.0.0/0) is added to the Inbound tab.

      Security group: Add inbound HTTPS access

  3. Add rules for inbound SSH and Remote Desktop (RDP) access to the group from your home network's public IP address range:

    1. On the Inbound tab, select SSH from the Create a new rule drop-down list.

    2. In the Source field, enter your home network's public IP address range (e.g., 192.0.2.0/24). If you don't know this address range, you can use 0.0.0.0/0 temporarily for this exercise.

    3. Click Add Rule.

      The rule is added to the Inbound tab.

    4. Select RDP from the Create a new rule drop-down list.

    5. In the Source field, enter your home network's public IP address range. If you don't know this address range, you can use 0.0.0.0/0 temporarily for this exercise.

      [Caution]Caution

      If you use 0.0.0.0/0, you enable all IP addresses to access your instance using SSH or RDP. This is acceptable for the short exercise, but it's unsafe for production environments. In production, you'll authorize only a specific IP address or range of addresses to access your instance.

    6. Click Add Rule.

      The rule is added to the Inbound tab.

      Security group: Add inbound SSH and RDP access

  4. Click Apply Rule Changes.

    The new inbound rules now apply to the security group, and the asterisk no longer appears on the tab.

    Case 1: Inbound rules for security group complete

  5. Limit outbound access to only HTTP and HTTPS from the group to anywhere:

    1. On the Outbound tab, locate the default rule that enables all outbound traffic, and click Delete.

      Delete default outbound rule

      The rule is marked for deletion, and an asterisk appears on the tab. The deletion will not take effect until you click Apply Rule Changes, which you'll do after adding new outbound rules to the group.

    2. Select HTTP from the Create a new rule drop-down list and click Add Rule.

      The rule allowing outbound HTTP access to anywhere (i.e., 0.0.0.0/0) is added to the Outbound tab. However, the rule will not be applied to the group until you click Apply Rule Changes, which you'll do after you've added all the outbound rules.

    3. Select HTTPS from the Create a new rule drop-down list and click Add Rule.

      The rule allowing outbound HTTPS access to anywhere (i.e., 0.0.0.0/0) is added to the Outbound tab.

  6. Click Apply Rule Changes.

    The default rule is deleted, and the new outbound rules now apply to the security group.

    Case 1: Outbound rules for security group complete

The VPC now includes a security group that you'll use when launching an instance in your next task. The group allows HTTP/HTTPS access in and out of the group to and from anywhere. The group also allows inbound SSH and RDP access from your home network's public IP address range. The group is not currently set up to enable instances inside the group to talk to each other. If you want that type of communication, you must add a rule to the security group to enable it. For more information about setting up security groups, go to Security Groups in the Amazon Virtual Private Cloud User Guide.

[Tip]Tip

If you want another layer of security in addition to security groups, you can use network ACLs. Network ACLs control traffic at the subnet level. This exercise uses only security groups, which control traffic at the instance level. To learn more about network ACLs, go to Network ACLs in the Amazon Virtual Private Cloud User Guide.

The next task is to launch an instance into your subnet using the new security group you just set up.
